We're using Apache mod_unique_id
<https://httpd.apache.org/docs/2.4/mod/mod_unique_id.html> to pass in
request IDs to our Rails app with the directive: RequestHeader set
X-Request-Id "%{UNIQUE_ID}e". However,
ActionDispatch::RequestId#make_request_id uses a regex to remove characters
that aren't within a specified character class. The relevant excerpt is
pasted below:
def make_request_id(request_id)
if request_id.presence
request_id.gsub(/[^\w\-]/, "".freeze).first(255)
else
internal_request_id
end
end
Unfortunately for Apache users, mod_unique_id uses characters in the class
[\w\-@]. An excerpt from the module's "Theory" section:
The UNIQUE_ID environment variable is constructed by encoding the 144-bit
(32-bit IP address, 32 bit pid, 32 bit time stamp, 16 bit counter, 32 bit
thread index) quadruple using the alphabet [A-Za-z0-9@-] in a manner
similar to MIME base64 encoding, producing 24 characters. The MIME base64
alphabet is actually [A-Za-z0-9+/] however + and / need to be specially
encoded in URLs, which makes them less desirable
My first inclination is to simply request an expansion of the character
class used to include the at symbol, but I'm wondering what the reason
behind restricting the request ID to [\w\-] was in the first place? Should
it be more permissive in general? If not, it seems reasonable to include
the at symbol, given that it is required by a very common web server
implementation.
--
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to rubyonrails-core+unsubscr...@googlegroups.com.
To post to this group, send email to rubyonrails-core@googlegroups.com.
Visit this group at https://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/d/optout.
